Security Windows

Researchers Bypassed Windows Password Locks With Cortana Voice Commands (vice.com) 90

Two independent Israeli researchers found a way for an attacker to bypass the lock protection on Windows machines and install malware by using voice commands directed at Cortana, the multi-language, voice-commanded virtual assistant that comes embedded in Windows 10 desktop and mobile operating systems. From a report: Tal Be'ery and Amichai Shulman found that the always-listening Cortana agent responds to some voice commands even when computers are asleep and locked, allowing someone with physical access to plug a USB with a network adapter into the computer, then verbally instruct Cortana to launch the computer's browser and go to a web address that does not use https -- that is, a web address that does not encrypt traffic between a user's machine and the website. The attacker's malicious network adapter then intercepts the web session to send the computer to a malicious site instead, where malware downloads to the machine, all while the computer owner believes his or her machine is protected.

  • Physical access (Score:5, Informative)

    by Gavagai80 ( 1275204 ) on Wednesday March 07, 2018 @12:10PM (#56221973)

    Since this requires physical access, I propose an alternate method: unscrew the laptop and put whatever devices you want inside.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      The manufacturers have already done that!

    • by Anonymous Coward

      Hey, let's see you put whatever devices you want inside a machine with BitLocker enabled! Oh wait, that's right, it will lock itself down and say the hardware changed. On the other hand, this exploit of Cortana will allow you to bypass BitLocker and defeat the security....

    • This does not require physical access. A device can be reasonably secured from tampering, but still be accessible by various interfaces. Physical access is typically available when one has access to the microphone, but physical access isn't required in all possible scenarios.
    • If you can plug in a USB key, there's a much easier way to access the PC. Just install Kon-boot on the USB drive first, plug it in, and boot the PC. You're in. This works on Workgroup and Domain PCs, Servers, etc. Not sure what username to use? Try administrator...

      As for the subject of the original article: way to go MS... EPIC fail. Can't say I'm surprised though.

      • If you can plug in a USB key, there's a much easier way to access the PC. Just install Kon-boot on the USB drive first, plug it in, and boot the PC.

        Doesn't work if the device is encrypted. Doesn't work if BIOS doesn't allow booting from USB. Probably won't work on most modern devices which have secure boot enabled by default.

        (Don't quote me on the last one)

      • by Calydor ( 739835 )

        This one has the advantage of not requiring a reboot, which means you can plug the USB in, do the voice commands, remove the USB, and the owner that returns from the bathroom a moment later will be none the wiser - the screen comes back up right on the Facebook post they were reading before.

    • unscrew the laptop and put whatever devices you want inside

      What's a screw? Mine is held together by glue and I couldn't get in myself even if I wanted to.

      • by Khyber ( 864651 )

        Heat guns work on pretty much every adhesive, including solder.

        • Heat guns work on pretty much every adhesive, including solder.

          The good news is, I got the cover off. The bad news is, there's a bunch of little chippy things rattling around.

        • Heat guns work on pretty much every adhesive, including solder.

          I take it you haven't looked at the iFixit scores for some tablets. In many cases it's pretty much impossible to get into some devices without destroying the screen in the process.

          • by Khyber ( 864651 )

            Half the time they aren't even using the proper equipment, (get a real spudger, guys) so I don't bother with their reviews.

            • Half the time they aren't even using the proper equipment, (get a real spudger, guys) so I don't bother with their reviews.

              Yeah indeed, let's complain that the people who open devices for a living don't have the right equipment and then draw parallels to some field based quick espionage.

              • by Khyber ( 864651 )

                "Yeah indeed, let's complain about the people who open devices for a living"

                No, they make videos for a living. I open devices for a living, far more than they have ever done. Hundreds of thousands in repair depots around the country.

            • (get a real spudger, guys)

              But from where?

              https://www.ifixit.com/Search?... [ifixit.com]

    • Since this requires physical access, I propose an alternate method: unscrew the laptop and put whatever devices you want inside.

      Physical access is irrelevant in this case. From TFA:

      "allowing someone with physical access to plug a USB with a network adapter into the computer, then verbally instruct Cortana to launch the computer's browser and go to a web address that does not use https -- that is, a web address that does not encrypt traffic between a user's machine and the website."

      In other words it is not necessary to install a BIW device. Any bad actor could intercept traffic at any point along the path or one could operate th

      • Further down it was proposed that an infected computer in an office could similarly infect neighboring computers via voice commands. Infect one machine through a locked door, and get the entire office infected overnight.

        "So this attack is not only limited to the physical access scenario but also can be used by attackers to expand their access and jump from one computer to another"

    • That won't let you access any of the data, at least not if BitLocker is on. If you modify the hardware configuration, the TPM won't produce the BitLocker key and the machine won't boot. It's just generic hardware at that point.
    • or perhaps best suited for a movie...

      but I somehow would like to see someone remotely hack an Alexa to utter voice commands to Cortana, to bypass Windows security and gain access to "sensitive files"...

      Who knows maybe they will get into an argument, or have built in hard-coding to give each other the silent treatment.

      As far as the movie option, it'll probably never happen as the producers would probably get sued into oblivion by the tag team of Amazon and Microsoft...

  • by h8sg8s ( 559966 ) on Wednesday March 07, 2018 @12:11PM (#56221985)

    Just another reason to not use Cortana or any of the other voice-activated appliances from Amazon, Apple, Google, etc.

    • Logic failure. It is a reason not to use Cortana. It's not a reason to not use Amazon, Apple, or Google.
      • by zlives ( 2009072 )

        limiting exposure is never a logic fail. what are the chances that the other software vendors don't have a zero day exploit on code written by monkeys.
        you have to do a cost analysis.

      • Logic failure. It is a reason not to use Cortana. It's not a reason to not use Amazon, Apple, or Google.

        How do you know it isn't via Siri that the security firms get into Apple devices?

    • Just another reason to not use Cortana or any of the other voice-activated appliances from Amazon, Apple, Google, etc.

      Or have it not respond to vocal commands without a password, preferably one locked to a voice print and not just specific words, when locked down. However, given that I doubt anybody making these products will institute such a basic level of security until it's established that they cannot shift responsibility for security to a user when they either did not have the ability to secure it available, or what ought to be a basic security option only offered via a series of hidden super-sekret commands with few

    • If you have proprietary or sensitive info, it ought to be only on a non-connected PC/Mac, whatever.

      There are too many bugs in Windows. I don't care what promises Microsoft and Satya have to say.

  • History repeats (Score:5, Interesting)

    by lucasnate1 ( 4682951 ) on Wednesday March 07, 2018 @12:13PM (#56221995)

    In the past, you could hack into old Windows machines by pressing F1 at the password prompt. If the help file was missing, it would ask you to browse and find it, which would allow you to right click on executables and run them. Nice to see that some things never change.

    • Re:History repeats (Score:5, Interesting)

      by thegarbz ( 1787294 ) on Wednesday March 07, 2018 @01:58PM (#56222635)

      You didn't even need a missing help file. If you could open the help bubble you could right click and click print. Then from the print dialogue you could open a proper Windows help screen. From there if you opened the index search and opened a different help topic you'd get a full Windows help screen with menubar. Then just click file, open, navigate to the Windows folder, right click on explorer.exe and run it.

  • Easily fixed (Score:2, Informative)

    by Anonymous Coward
    It is a relatively simple matter to configure Cortana to ignore commands when the voiceprint of the issuer is not the owner of a machine account. Simply enabling this option would prevent this type of attack.
    • You're putting a lot of trust in Grandma and Grandpa knowing how to dig into Cortana's config and enable it.

      Not everyone has a family member that can/will help protect them from themselves.

  • Physical access (Score:4, Informative)

    by chaotixx ( 563211 ) on Wednesday March 07, 2018 @12:25PM (#56222083)
    If a determined attacker has physical access to your machine you've lost via any number of methods.
    • by Anonymous Coward

      Why does a machine that is "in sleep and locked" open a browser following user input? This means it's not so locked. And there's the user session still running so that may be a more interesting target than an encrypted turned off PC.

  • by swb ( 14022 ) on Wednesday March 07, 2018 @12:59PM (#56222311)

    Wow, what a fail by Microsoft. It should be beyond obvious to anyone with a pulse that not providing a way to completely disable Cortana opens computers up to an entire Pandora's box of security vulnerabilities.

    It's totally obvious Microsoft is just jamming this down everyone's throat, especially business users, because they know they can get big (and mostly bullshit) "adoption" numbers and operational data for Cortana.

    Of course the larger problem is nobody wants Microsoft's bullshit attempts to re-invent themselves as Google, Amazon/Alexa or Apple/Siri. So they will cram it down everyone's throats and get some minor level of usage just because it's there even though it aggravates most everyone else.

  • Since the last big Windows update Cortana was coming up every time I touched the touchpad, so I just removed Cortana entirely with a PowerShell script I found on the Internet.
  • Do these voice assistants respond to any sound frequencies the microphone can pick up? You might be able to pull this off with something people can't hear well, too, if you can trick the algorithm into matching your out of human hearing band to speech.
  • by Anonymous Coward

    I don't get it. The attack as described involves plugging in a compromised network adapter so that you can tell Cortana to go to an insecure website, and instead direct the machine to a different site that serves malware. Why not skip the network adapter, and just tell Cortana to go straight to a malware site instead?

    • I also don't get it: at what point does Windows decide a newly plugged-in USB network adapter should get all traffic routed to it instead of the existing cable/Wi-Fi connection?

      If the weakness is Cortana always listening and able to be directed to a non-SSL web site why not attack the Wi-Fi access point or the modem/router?

      • I also don't get it: at what point does Windows decide a newly plugged-in USB network adapter should get all traffic routed to it instead of the existing cable/Wi-Fi connection?

        Because this is /. and I didn't read TFA, here's the answer to my own question:

        "One of the things we saw was that even when a machine is locked, you can choose the network to which that machine is attached," he notes.

        That's just fucking stupid.

  • ... hackers do a home invasion and make the user type in stuff.

  • However, this seems to prove that it is worse than useless.
  • No Cortana? Check. We're good.
  • it does bother me though that the shutdown and network select is on the lock screen and works without any verification. has since forever.
  • People used to say "a woman's work is never done". At least this story conveys a hint of gender parity.
